This document describes how to form an IPSec tunnel from a Linux-based
PC running the Cisco VPN Client to a Cisco VPN 3000 Series Concentrator so that
you can access the network inside the concentrator securely.

The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
it.

Connect to the VPN Concentrator console port and verify that there
are IP addresses assigned to the private (inside) and public (outside)
interfaces. Also verify that there is a default gateway assigned so that the
concentrator can forward the packets for the destinations that it does not know
about to the default gateway.

To assign an available range of IP addresses, point a browser to
the inside interface of the VPN 3000 Concentrator and go to
Configuration > System > Address Management > Pools >
Add. Specify a range of IP addresses that do not conflict with any
other devices on the inside network.

To tell the VPN Concentrator to use the pool, go to
Configuration > System > Address Management >
Assignment, and check the Use Address Pools box.

Configure an IPSec group for the users by going to
Configuration > User Management > Groups > Add and
defining a group name and password. The example below uses the group name
"ipsecgroup" with "cisco123" as the password and verify value.

On the Groups General tab, select
IPSec.

On the Groups IPSec tab, set the authentication to
Internal.

Go to Configuration > User Management > Users >
Add, and add a user to the previously defined group. In the example
below, the user is "ipsecuser" with the password "xyz12345" in the group
"ipsecgroup."

Navigate to the /etc/CiscoSystemsVPNClient/Profiles directory where
VPN connection profiles are stored.

Open a new profile file by either copying the sample profile to a
new name or by creating one from scratch. In the example below, the sample .pcf
file was copied, renamed, and edited.

Edit the newly named .pcf file to include the following
information.

A new description that will identify the connection

A new host IP address that will be the IP address of the public
interface of the VPN 3000 Concentrator

A new group name that will need to match the group configured in
the VPN 3000 group setup

A new user name, which must be the same user name that is configured on
the VPN 3000 Concentrator and that belongs to the VPN group on the concentrator

Save the file and exit.

From the command prompt, use the vpnclient connect
ipsec command to connect to the VPN Concentrator using the IPSec
.pcf file. You will be prompted to enter the group password. This is the same
password that was configured on the VPN 3000 Concentrator (password "xyz12345",
in this example).
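As an added example (not part of the Cisco document), a small Python checker that parses the [main] section of a .pcf profile and verifies the fields the steps above ask you to edit against the concentrator-side values. The key names Description, Host, AuthType, GroupName, GroupPwd, enc_GroupPwd and Username are assumed from the Cisco VPN Client profile format, and the sample profile is constructed.

```python
import ipaddress

# Constructed sample profile with the fields the steps above tell you to edit.
# Key names (Description, Host, AuthType, GroupName, GroupPwd, Username) are
# assumed from the Cisco VPN Client .pcf format; values mirror the document.
SAMPLE_PCF = """[main]
Description=Lab IPSec tunnel to the VPN 3000 Concentrator
Host=192.0.2.10
AuthType=1
GroupName=ipsecgroup
GroupPwd=cisco123
Username=ipsecuser
"""


def parse_pcf(text):
    """Return the key=value pairs of the [main] section as a dict."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "main" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def check_profile(fields, concentrator_group, concentrator_user):
    """List mismatches that would make 'vpnclient connect' fail, plus one hygiene issue."""
    problems = []
    if not fields.get("Description"):
        problems.append("Description is empty; the connection cannot be identified")
    try:
        ipaddress.ip_address(fields.get("Host", ""))
    except ValueError:
        problems.append("Host must be the IP address of the concentrator's public interface")
    if fields.get("GroupName") != concentrator_group:
        problems.append("GroupName does not match the group configured on the concentrator")
    if fields.get("Username") != concentrator_user:
        problems.append("Username does not match the user configured in that group")
    # The group password lives in the profile; flag a clear-text GroupPwd so the
    # file's read permissions get restricted (the client also accepts enc_GroupPwd).
    if "GroupPwd" in fields and "enc_GroupPwd" not in fields:
        problems.append("GroupPwd is stored in clear text; restrict read access to the .pcf")
    return problems


if __name__ == "__main__":
    print(check_profile(parse_pcf(SAMPLE_PCF), "ipsecgroup", "ipsecuser"))
```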

If the connection is not successful, please see the
Troubleshooting section
below.

The troubleshooting information below is relevant to this configuration.
Follow these instructions to troubleshoot your configuration.

Create a global profile, if one does not already exist in the
/etc/CiscoSystemsVPNClient/ directory. The global profile should look like the
example below.

Note: Verify that each one of the log levels is set to "3"; this ensures
that the highest level of logging is achieved.

From the command prompt, use the
/usr/local/bin/ipseclog command to start the IPSec
log utility and to move the information in that log to a directory and file of
your choice. In this example the file is named clientlog.txt, and it is in the
/etc/CiscoSystemsVPNClient directory:

In a separate window, use the tail -f <filename> command (tail -f
clientlog.txt in this example) to get a constantly updated view of the
clientlog.txt file while you are connecting, so that you can gather debug
information.

The usual cause of this problem is that the filter is missing from
the public interface. It should usually be the public filter (but can be the
private filter; "none" is not valid). Go to Configuration >
Interfaces > Ethernet 2 > Filter and make the filter "public" or
another value (that is not "none").

IPSec Not Selected

The error message is the following:

Unable to negotiate IPSec or host did not respond.

The VPN 3000 concentrator debug shows the following:

Terminating connection attempt: IPSEC not permitted for group <group>

The usual cause of this problem is that IPSec is not selected on the
group. Go to Configuration > User Management > Groups >
<group> > Modify > General tab and verify that IPSec is
selected under Tunneling Protocols.

The usual cause of this problem is that the user does not exist in
the user database. Make sure that you are entering the correct user name when
the user authentication screen is displayed.

Missing Default Route

The VPN 3000 concentrator debug shows the following:

Filter missing on interface 0, IKE data from Peer x.x.x.x dropped

The usual cause of this problem is that the default route is missing.
Make sure there is a default route in the configuration. Go to
Configuration > System > IP routing > Default Gateway
to specify the default gateway.

No IP Address Option

The error message is the following:

Your IPSec connection has been terminated by the remote peer.

The VPN 3000 concentrator debug shows the following:

User [ >user< ]
IKE rcv'd FAILED IP Addr status!

The usual cause of this problem is that there is no option checked to
give the client an IP address. Go to Configuration > System >
Address Management > Address Assignment to select an option.

Different Passwords

The error message is the following:

User authentication failed

The VPN 3000 concentrator debug shows the following:

The calculated HASH doesn't match the received value

The usual cause of this problem is that the group password on the
client is different than the password configured on the concentrator. Check the
passwords on both the client and the concentrator.
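The troubleshooting sections above each pair a concentrator debug message with its cause and fix. As an added example (not part of the Cisco document), the Python script below matches those documented messages in captured debug output and reports the cause and the menu path to check; the debug sample is constructed for the example, not a real capture.

```python
import re

# Concentrator debug messages quoted in the troubleshooting sections above,
# each paired with the documented cause and the documented place to fix it.
KNOWN_FAILURES = [
    (r"IPSEC not permitted for group (\S+)",
     "IPSec not selected on group {0}",
     "Configuration > User Management > Groups > {0} > Modify > General"),
    (r"Filter missing on interface 0, IKE data from Peer (\S+) dropped",
     "missing default route (IKE data from peer {0} dropped)",
     "Configuration > System > IP routing > Default Gateway"),
    (r"IKE rcv'd FAILED IP Addr status",
     "no option selected to give the client an IP address",
     "Configuration > System > Address Management > Address Assignment"),
    (r"The calculated HASH doesn't match the received value",
     "group password on the client differs from the concentrator's",
     "compare the group password in the .pcf with the concentrator group"),
]

# Constructed sample of concentrator debug output for this example.
SAMPLE_DEBUG = """\
Filter missing on interface 0, IKE data from Peer 198.51.100.7 dropped
User [ >ipsecuser< ]
IKE rcv'd FAILED IP Addr status!
Terminating connection attempt: IPSEC not permitted for group ipsecgroup
"""


def diagnose(debug_text):
    """Return (cause, fix) pairs for each documented failure message in the output."""
    findings = []
    for line in debug_text.splitlines():
        for pattern, cause, fix in KNOWN_FAILURES:
            match = re.search(pattern, line)
            if match:
                # Fill in the group name or peer address captured from the message.
                findings.append((cause.format(*match.groups()),
                                 fix.format(*match.groups())))
    return findings


if __name__ == "__main__":
    for cause, fix in diagnose(SAMPLE_DEBUG):
        print(f"{cause}\n    -> {fix}")
```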

If the VPN 3000 concentrator's filters allow this traffic, then a
device between the client and the concentrator could be blocking some of these
ports (perhaps a firewall). To verify, try connecting to the concentrator from
the network immediately outside the concentrator. If that works, then a device
between the client PC and concentrator is blocking the traffic.